CVE-2025-59799 – This CVE describes a stack-based buffer overflo... (How to Fix)

Q: What is the severity of CVE-2025-59799?

CVE-2025-59799 has a CVSS score of 4.3 (MEDIUM). This CVE describes a stack-based buffer overflow vulnerability in Artifex Ghostscript's PDF processing component. Attackers could exploit this by providing a specially crafted PDF with a large size value, potentially causing denial of service or arbitrary code execution. Systems using Ghostscript for PDF processing or conversion are affected.

📋 TL;DR

This CVE describes a stack-based buffer overflow vulnerability in Artifex Ghostscript's PDF processing component. Attackers could exploit this by providing a specially crafted PDF with a large size value, potentially causing denial of service or arbitrary code execution. Systems using Ghostscript for PDF processing or conversion are affected.

💻 Affected Systems

Products:

Artifex Ghostscript

Versions: All versions through 10.05.1

Operating Systems: All platforms running Ghostscript (Linux, Windows, macOS, etc.)

Default Config Vulnerable: ⚠️ Yes

Notes: Any system using Ghostscript to process PDF files is vulnerable. This includes many applications that use Ghostscript as a backend PDF processor.

📦 What is this software?

Ghostscript by Artifex

View all CVEs affecting Ghostscript →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise if the vulnerable Ghostscript process runs with elevated privileges.

🟠

Likely Case

Denial of service causing Ghostscript to crash, disrupting PDF processing services.

🟢

If Mitigated

Limited impact with proper sandboxing and privilege separation, potentially just a process crash.

🌐 Internet-Facing: MEDIUM - Exploitable if Ghostscript processes untrusted PDFs from external sources, but requires specific PDF processing workflows.

🏢 Internal Only: LOW - Typically requires user interaction or specific PDF processing workflows, reducing attack surface.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires crafting a malicious PDF file that triggers the buffer overflow. The attacker needs to deliver this PDF to a system that processes it with Ghostscript.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.05.2 and later

Vendor Advisory: https://bugs.ghostscript.com/show_bug.cgi?id=708517

Restart Required: No

Instructions:

1. Check current Ghostscript version with 'gs --version'. 2. Download and install Ghostscript 10.05.2 or later from https://www.ghostscript.com/. 3. For package managers: 'apt update && apt upgrade ghostscript' (Debian/Ubuntu) or 'yum update ghostscript' (RHEL/CentOS).

🔧 Temporary Workarounds

Disable PDF processing

all

Temporarily disable Ghostscript PDF processing if not essential

Sandbox Ghostscript

linux

Run Ghostscript in a container or with reduced privileges

docker run --security-opt=no-new-privileges ghostscript

🧯 If You Can't Patch

Implement strict input validation for PDF files before processing with Ghostscript
Isolate Ghostscript processes in containers or VMs with network restrictions

🔍 How to Verify

Check if Vulnerable:

Run 'gs --version' and check if version is 10.05.1 or earlier

Check Version:

gs --version

Verify Fix Applied:

After patching, run 'gs --version' to confirm version is 10.05.2 or later

📡 Detection & Monitoring

Log Indicators:

Ghostscript crash logs
Segmentation fault errors in system logs
Abnormal PDF processing failures

Network Indicators:

Unusual PDF file uploads to systems using Ghostscript

SIEM Query:

source="*ghostscript*" AND ("segmentation fault" OR "buffer overflow" OR "crash")

📊 Metadata

CVE ID: CVE-2025-59799

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

CWE: CWE-121

EPSS Score: 0.02% exploit probability (4.2th percentile)

Published: September 22, 2025

Last Updated: November 3, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-59799, you might also want to check these: